├── chart ├── templates │ ├── NOTES.txt │ ├── issuer.yaml │ ├── configmap.yaml │ ├── svc.yaml │ ├── cert.yaml │ ├── mutating-webhook.yaml │ └── deploy.yaml ├── .gitignore ├── Chart.yaml ├── .helmignore └── values.yaml ├── .gitignore ├── go.mod ├── Dockerfile.dev ├── config.example.yaml ├── Dockerfile ├── mutate ├── config.go ├── mutate_test.go └── mutate.go ├── cmd ├── normalize-docker-image-name │ └── normalize-docker-image-name.go └── patch-docker-image-name │ └── patch-docker-image-name.go ├── tests └── manifests │ ├── simple │ ├── deploy.yaml │ └── sts.yaml │ └── initContainers │ └── deploy.yaml ├── flake.lock ├── flake.nix ├── main.go ├── README.md ├── create-cert.sh ├── LICENSE └── go.sum /chart/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /chart/.gitignore: -------------------------------------------------------------------------------- 1 | # for local dev 2 | val.yaml 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | result* 2 | .*.*.sw* 3 | .*.sw* 4 | normalize-docker-image-name 5 | patch-docker-image-name 6 | k8s-proxy-image-swapper 7 | -------------------------------------------------------------------------------- /chart/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: k8s-proxy-image-swapper 3 | description: A Helm chart for Kubernetes 4 | type: application 5 | version: 0.3.4 6 | appVersion: 0.3.3 7 | -------------------------------------------------------------------------------- /chart/templates/issuer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Issuer 3 | metadata: 4 | name: selfsigned-webhook 5 | namespace: {{ .Values.namespace }} 6 | spec: 7 | selfSigned: {} 8 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/Polyconseil/k8s-proxy-image-swapper 2 | 3 | go 1.15 4 | 5 | require ( 6 | gopkg.in/yaml.v2 v2.4.0 7 | k8s.io/api v0.21.3 8 | k8s.io/apimachinery v0.21.3 9 | ) 10 | -------------------------------------------------------------------------------- /chart/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: k8s-proxy-image-swapper-config 5 | namespace: {{ .Values.namespace }} 6 | data: 7 | config.yaml: | 8 | {{ .Values.config | toYaml | indent 4 -}} 9 | -------------------------------------------------------------------------------- /Dockerfile.dev: -------------------------------------------------------------------------------- 1 | FROM golang:1.17 AS build 2 | 3 | WORKDIR / 4 | ENV GO111MODULE=on 5 | COPY go.mod go.sum ./ 6 | RUN go mod download 7 | COPY . . 8 | RUN CGO_ENABLED=0 go build 9 | 10 | FROM ubuntu:21.04 11 | COPY --from=build ./k8s-proxy-image-swapper . 12 | ENTRYPOINT [ "sleep 1000000" ] 13 | -------------------------------------------------------------------------------- /config.example.yaml: -------------------------------------------------------------------------------- 1 | port: 8443 2 | # change tlsdirpath path accordingly if you change this 3 | tlskeypath: "/tls/key.pem" 4 | ignoreimages: 5 | - registry 6 | - registry.example.com/toto/k8s-proxy-image-swapper 7 | # change tlsdirpath path accordingly if you change this 8 | tlscertpath: "/tls/cert.pem" 9 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:1.17 AS build 2 | 3 | WORKDIR / 4 | ENV GO111MODULE=on 5 | COPY go.mod go.sum ./ 6 | RUN go mod download 7 | COPY . . 8 | RUN CGO_ENABLED=0 go build 9 | 10 | FROM scratch 11 | USER 1000 12 | COPY --from=build ./k8s-proxy-image-swapper . 13 | ENTRYPOINT [ "./k8s-proxy-image-swapper" ] 14 | -------------------------------------------------------------------------------- /chart/templates/svc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | namespace: {{ .Values.namespace }} 6 | name: k8s-pisw 7 | spec: 8 | type: ClusterIP 9 | selector: 10 | app: k8s-proxy-image-swapper-webhook 11 | ports: 12 | - protocol: TCP 13 | port: 443 14 | targetPort: 8443 15 | -------------------------------------------------------------------------------- /chart/templates/cert.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | name: webhook-certificate 5 | namespace: {{ .Values.namespace }} 6 | spec: 7 | secretName: webhook-certificate 8 | dnsNames: 9 | - k8s-pisw.{{ .Values.namespace }}.svc 10 | issuerRef: 11 | name: selfsigned-webhook 12 | -------------------------------------------------------------------------------- /mutate/config.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | package mutate 3 | 4 | type Config struct { 5 | TLSCertPath string `yaml:"tlscertpath"` 6 | TLSKeyPath string `yaml:"tlskeypath"` 7 | Port string `yaml:"port"` 8 | IgnoreImages []string `yaml:"ignoreimages"` 9 | } 10 | 11 | var Configuration Config 12 | -------------------------------------------------------------------------------- /cmd/normalize-docker-image-name/normalize-docker-image-name.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | m "github.com/Polyconseil/k8s-proxy-image-swapper/mutate" 6 | "os" 7 | ) 8 | 9 | func main() { 10 | if len(os.Args) == 1 { 11 | os.Exit(1) 12 | } 13 | 14 | for _, v := range os.Args[1:] { 15 | fmt.Printf("%s ", m.GetPatchedImageUrl(v, "docker.io")) 16 | } 17 | fmt.Printf("\n") 18 | } 19 | -------------------------------------------------------------------------------- /tests/manifests/simple/deploy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | labels: 5 | app: test-deploy 6 | name: test-deploy 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: test-deploy 12 | template: 13 | metadata: 14 | labels: 15 | app: test-deploy 16 | spec: 17 | containers: 18 | - image: nginx 19 | name: nginx 20 | -------------------------------------------------------------------------------- /cmd/patch-docker-image-name/patch-docker-image-name.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | m "github.com/Polyconseil/k8s-proxy-image-swapper/mutate" 6 | "os" 7 | ) 8 | 9 | func main() { 10 | if len(os.Args) < 3 { 11 | os.Exit(1) 12 | } 13 | 14 | registry := os.Args[1] 15 | 16 | for _, v := range os.Args[2:] { 17 | fmt.Printf("%s ", m.GetPatchedImageUrl(v, registry)) 18 | } 19 | fmt.Printf("\n") 20 | } 21 | -------------------------------------------------------------------------------- /chart/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /tests/manifests/initContainers/deploy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | labels: 5 | app: test-deploy 6 | name: test-deploy 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: test-deploy 12 | template: 13 | metadata: 14 | labels: 15 | app: test-deploy 16 | spec: 17 | initContainers: 18 | - image: busybox:1.33 19 | args: 20 | - ls 21 | name: init 22 | containers: 23 | - image: nginx 24 | name: nginx 25 | -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "nixpkgs": { 4 | "locked": { 5 | "lastModified": 1622456856, 6 | "narHash": "sha256-uvsP1HwSWH1ujkRBfJGa/0GnEge9jcEj7hTGP1x7X4k=", 7 | "path": "/nix/store/c8ps0q4jqlng16qpiqyr4wmylnlac858-source", 8 | "rev": "38fce8ec004b3e61c241e3b64c683f719644f350", 9 | "type": "path" 10 | }, 11 | "original": { 12 | "id": "nixpkgs", 13 | "type": "indirect" 14 | } 15 | }, 16 | "root": { 17 | "inputs": { 18 | "nixpkgs": "nixpkgs" 19 | } 20 | } 21 | }, 22 | "root": "root", 23 | "version": 7 24 | } 25 | -------------------------------------------------------------------------------- /tests/manifests/simple/sts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: StatefulSet 4 | metadata: 5 | labels: 6 | app: test-sts 7 | name: test-sts 8 | spec: 9 | serviceName: "test-sts" 10 | replicas: 1 11 | selector: 12 | matchLabels: 13 | app: test-sts 14 | template: 15 | metadata: 16 | labels: 17 | app: test-sts 18 | spec: 19 | containers: 20 | - image: nginx 21 | name: nginx 22 | --- 23 | apiVersion: v1 24 | kind: Service 25 | metadata: 26 | labels: 27 | app: test-sts 28 | name: test-sts 29 | spec: 30 | selector: 31 | app: test-sts 32 | ports: 33 | - protocol: TCP 34 | port: 80 35 | targetPort: 80 36 | -------------------------------------------------------------------------------- /chart/templates/mutating-webhook.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.enableMutatingWebhook }} 2 | --- 3 | apiVersion: admissionregistration.k8s.io/v1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: "k8s-proxy-image-swapper-webhook" 7 | namespace: {{ .Values.namespace }} 8 | annotations: 9 | cert-manager.io/inject-ca-from: {{ .Values.namespace }}/webhook-certificate 10 | webhooks: 11 | - name: "k8s-pisw.{{ .Values.namespace }}.svc" 12 | rules: 13 | - apiGroups: [""] 14 | apiVersions: ["v1"] 15 | operations: 16 | - "*" 17 | resources: ["pods"] 18 | clientConfig: 19 | service: 20 | namespace: {{ .Values.namespace }} 21 | name: "k8s-pisw" 22 | path: /mutate 23 | admissionReviewVersions: ["v1", "v1beta1"] 24 | sideEffects: None 25 | # Set to ignore so that when no worker nodes are available, 26 | # pods can still be scheduled. 27 | # However, this might introduce failures that this service is there 28 | # to prevent from happening. 29 | failurePolicy: Ignore 30 | timeoutSeconds: 1 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /chart/values.yaml: -------------------------------------------------------------------------------- 1 | replicaCount: 2 2 | image: 3 | repository: registry.example.com/toto/k8s-proxy-image-swapper 4 | pullPolicy: IfNotPresent 5 | tag: "v0.3.3" 6 | 7 | namespace: k8s_pisw 8 | 9 | # Change config.{tlskeypath,tlscertpath} accordingly if you change this 10 | tlsdirpath: "/tls" 11 | 12 | enableMutatingWebhook: true 13 | 14 | # See example at the root of the repo in ./config.example.yml 15 | config: 16 | port: 8443 17 | # change tlsdirpath path accordingly if you change this 18 | tlskeypath: "/tls/tls.key" 19 | ignoreimages: 20 | - registry 21 | - registry.example.com/toto/k8s-proxy-image-swapper 22 | # change tlsdirpath path accordingly if you change this 23 | tlscertpath: "/tls/tls.crt" 24 | 25 | securityContext: 26 | #capabilities: 27 | # drop: 28 | # - ALL 29 | # readOnlyRootFilesystem: true 30 | runAsNonRoot: true 31 | runAsUser: 1000 32 | 33 | enableDebug: false 34 | 35 | resources: 36 | requests: 37 | memory: "64Mi" 38 | cpu: "250m" 39 | limits: 40 | memory: "128Mi" 41 | cpu: "500m" 42 | 43 | # You can obtain this value the following way : 44 | # kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' 45 | # Note that this doesn't work on k3s since CAs are used differently. You need to 46 | # use the CA base64 in /var/lib/rancher/k3s/server/tls/server-ca.crt 47 | caBundle: {} 48 | # This must be resolvable from inside the cluster (on the nodes) in HTTPS 49 | registryUrl: docker-registry-internal.example.com 50 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "A very basic flake"; 3 | 4 | outputs = { self, nixpkgs }: { 5 | 6 | packages.x86_64-linux = 7 | let 8 | pkgs = import nixpkgs { system = "x86_64-linux"; }; 9 | vendorSha256 = "sha256-rHaqxAb27amS36msMo3Ry70UWzTbuK/jT4HLKkeDP4Y="; 10 | in rec { 11 | patch-docker-image-name = pkgs.buildGoModule { 12 | CGO_ENABLED = "0"; 13 | pname = "patch-docker-image-name"; 14 | version = "0.1.1"; 15 | 16 | src = ./.; 17 | 18 | inherit vendorSha256; 19 | subPackages = [ "cmd/patch-docker-image-name" ]; 20 | }; 21 | 22 | normalize-docker-image-name = pkgs.buildGoModule { 23 | CGO_ENABLED = "0"; 24 | pname = "normalize-docker-image-name"; 25 | version = "0.1.1"; 26 | 27 | src = ./.; 28 | 29 | inherit vendorSha256; 30 | subPackages = [ "cmd/normalize-docker-image-name" ]; 31 | }; 32 | 33 | k8s-proxy-image-swapper = pkgs.buildGoModule { 34 | CGO_ENABLED = "0"; 35 | 36 | pname = "k8s-proxy-image-swapper"; 37 | version = "0.3.3"; 38 | 39 | src = ./.; 40 | 41 | inherit vendorSha256; 42 | subPackages = [ "." ]; 43 | }; 44 | 45 | oci-k8s-proxy-image-swapper = pkgs.dockerTools.buildLayeredImage { 46 | name = "oci-k8s-proxy-image-swapper"; 47 | contents = [ k8s-proxy-image-swapper ]; 48 | config = { 49 | Entrypoint = [ "${k8s-proxy-image-swapper}/bin/k8s-proxy-image-swapper" ]; 50 | User = "1000:1000"; 51 | }; 52 | }; 53 | }; 54 | 55 | defaultPackage.x86_64-linux = self.packages.x86_64-linux.k8s-proxy-image-swapper; 56 | 57 | }; 58 | } 59 | -------------------------------------------------------------------------------- /chart/templates/deploy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | namespace: {{ .Values.namespace }} 6 | name: k8s-proxy-image-swapper-webhook-deployment 7 | labels: 8 | app: k8s-proxy-image-swapper-webhook 9 | spec: 10 | replicas: {{ .Values.replicaCount }} 11 | selector: 12 | matchLabels: 13 | app: k8s-proxy-image-swapper-webhook 14 | template: 15 | metadata: 16 | labels: 17 | app: k8s-proxy-image-swapper-webhook 18 | spec: 19 | securityContext: 20 | {{- toYaml .Values.securityContext | nindent 8 }} 21 | containers: 22 | - name: k8s-proxy-image-swapper-webhook 23 | env: 24 | {{ if .Values.enableDebug -}} 25 | - name: LOGLEVEL 26 | value: DEBUG 27 | {{- end }} 28 | - name: REGISTRY_URL 29 | value: {{ .Values.registryUrl }} 30 | image: {{ .Values.image.repository}}:{{ .Values.image.tag }} 31 | imagePullPolicy: {{ .Values.image.pullPolicy }} 32 | args: ["/config/config.yaml"] 33 | ports: 34 | - containerPort: 8443 35 | volumeMounts: 36 | - name: k8s-proxy-image-swapper-config 37 | mountPath: "/config" 38 | readOnly: true 39 | - name: k8s-proxy-image-swapper-tls-secret 40 | mountPath: {{ .Values.tlsdirpath }} 41 | readOnly: true 42 | resources: 43 | {{- toYaml .Values.resources | nindent 10 }} 44 | volumes: 45 | - name: k8s-proxy-image-swapper-config 46 | configMap: 47 | optional: false 48 | name: k8s-proxy-image-swapper-config 49 | items: 50 | - key: config.yaml 51 | path: config.yaml 52 | - name: k8s-proxy-image-swapper-tls-secret 53 | secret: 54 | secretName: webhook-certificate 55 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | 3 | package main 4 | 5 | import ( 6 | "fmt" 7 | m "github.com/Polyconseil/k8s-proxy-image-swapper/mutate" 8 | "gopkg.in/yaml.v2" 9 | "html" 10 | "io/ioutil" 11 | "log" 12 | "net/http" 13 | "os" 14 | "time" 15 | ) 16 | 17 | func handleRoot(w http.ResponseWriter, r *http.Request) { 18 | fmt.Fprintf(w, "hello %q", html.EscapeString(r.URL.Path)) 19 | } 20 | 21 | func handleMutation(w http.ResponseWriter, r *http.Request) { 22 | debug := os.Getenv("LOGLEVEL") == "DEBUG" 23 | if debug { 24 | fmt.Println("handleMutation called") 25 | } 26 | 27 | body, err := ioutil.ReadAll(r.Body) 28 | defer r.Body.Close() 29 | 30 | if err != nil { 31 | log.Println(err) 32 | fmt.Fprintf(w, "%s", err) 33 | return 34 | } 35 | 36 | registry := os.Getenv("REGISTRY_URL") 37 | 38 | mutated, err := m.Mutate(body, debug, registry) 39 | if err != nil { 40 | log.Println(err) 41 | fmt.Fprintf(w, "%s", err) 42 | return 43 | } 44 | 45 | w.WriteHeader(http.StatusOK) 46 | _, err = w.Write(mutated) 47 | if err != nil { 48 | log.Println("Failed writing HTTP response") 49 | } 50 | } 51 | 52 | func main() { 53 | if len(os.Args) == 1 { 54 | log.Fatalf("Usage : %v $CONFIG_FILE_PATH\n", os.Args[0]) 55 | return 56 | } 57 | configFile, err := os.Open(os.Args[1]) 58 | if err != nil { 59 | log.Fatalf("Error opening %v : %v\n", os.Args[1], err) 60 | } 61 | 62 | var config m.Config 63 | decoder := yaml.NewDecoder(configFile) 64 | err = decoder.Decode(&config) 65 | if err != nil { 66 | log.Fatalf("Error reading config : %v\n", err) 67 | } 68 | configFile.Close() 69 | 70 | m.Configuration = config 71 | 72 | log.Println("Starting server ...") 73 | 74 | mux := http.NewServeMux() 75 | 76 | mux.HandleFunc("/", handleRoot) 77 | mux.HandleFunc("/mutate", handleMutation) 78 | 79 | s := &http.Server{ 80 | Addr: ":" + config.Port, 81 | Handler: mux, 82 | ReadTimeout: 10 * time.Second, 83 | WriteTimeout: 10 * time.Second, 84 | MaxHeaderBytes: 1 << 20, // 1_048_576 85 | } 86 | 87 | log.Fatal(s.ListenAndServeTLS(config.TLSCertPath, config.TLSKeyPath)) 88 | } 89 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # K8s proxy image swapper 2 | 3 | This project redirects all public images to an (internal) proxy by dynamically 4 | renaming those images. The proxy is configured through `PROXY_URL`. 5 | 6 | The goal is to prevent errors from dockerhub usage rate limit by providing a 7 | cache as well as doing some security analysis on the proxy side. 8 | (Note that this project only patches images name, to redirect them on a proxy 9 | registry; it does not deploy the proxy by itself. 10 | the official docker-registry can be configured as a proxy registry). 11 | 12 | Patching is done automatically, there is no need to change anything on 13 | your deployments. 14 | 15 | Images patched by k8s-proxy-image-swapper (k8s-pisw) also have a label 16 | "k8s-proxy-image-swapper: patched-image", to recognize them. 17 | 18 | # Setup 19 | 20 | Certificates are managed by Cert-manager. Be sure to install it on your cluster 21 | before using this software. 22 | 23 | Afterwards you can use the helm chart in ./chart to deploy this software. 24 | You need to have the image of the patcher built and pushed on a custom registry, 25 | because no exception is currently made on k8s-proxy-image-swapper (self). 26 | You need to provide the base64 of the CA for the cluster. Further details 27 | are available in ./chart/values.yaml. 28 | 29 | # Troubleshouting 30 | 31 | In case of issue with image patching, to remove image-swapper, use the following command: 32 | 33 | `kubectl delete mutatingwebhookconfiguration k8s-proxy-image-swapper-webhook` 34 | 35 | This will delete the webhook and unblock your cluster. Upgrade the chart to reinstate 36 | the webhook. 37 | 38 | # Inner working 39 | 40 | This software uses MutatingWebHook (from dynamic admission control in k8s) 41 | to patch the `image` field in a pod (`containers` and `initContainers`) to 42 | use a proxy registry (docker registry for instance). 43 | 44 | See the unit tests in `mutate/mutate_test.go` for patching examples. 45 | Note that this image must be stored in a registry different than the 46 | Docker Hub. Otherwise you may have a chicken and egg problem. 47 | 48 | The simple solution to unblock yourself when the proxy doesn't work for instance 49 | is to simply delete the mutating webhook : 50 | `kubectl delete MutatingWebHookConfiguration -n kube-system k8s-proxy-image-swapper-webhook` 51 | 52 | # Contributing 53 | 54 | Contributions implies licensing those contributions under the terms of LICENSE. 55 | 56 | The GitHub repository https://github.com/Polyconseil/k8s-proxy-image-swapper 57 | is the official repository. 58 | 59 | To contribute you need a GitHub account. 60 | 61 | ## Opening issues 62 | 63 | Please make sure there is no open issue on the topic. 64 | 65 | ## Submitting changes 66 | 67 | Please format the commit messages according to semantic-release. 68 | 69 | A good commit message includes relevant information about *why* a change 70 | has been made (this might also be a good idea to put this kind of information 71 | in comments), so that other developers can later understand why a change was made. 72 | 73 | The project follows a semver versionning scheme. 74 | 75 | # Architecture 76 | 77 | - ./main.go contains the setup code and configuration code. 78 | - ./mutate contains the code that patches the images. (if you ever modify this 79 | code, please run the tests and add or modify the tests accordingly). 80 | - ./chart contains the chart to deploy the software. 81 | - ./tests contains some manifests to help test the software. 82 | 83 | 84 | ## Building 85 | The Docker image can be build with the Dockerfile with : 86 | 87 | ``` 88 | docker build . 89 | ``` 90 | 91 | Or with Nix : 92 | 93 | ``` 94 | nix build .#packages.x86_64-linux.oci-k8s-proxy-image-swapper 95 | ``` 96 | -------------------------------------------------------------------------------- /mutate/mutate_test.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | package mutate 3 | 4 | import "testing" 5 | 6 | type TestImageCase struct { 7 | image string 8 | registry string 9 | expected string 10 | } 11 | 12 | func TestConcatenation(t *testing.T) { 13 | arr := []string{"toto", "tata"} 14 | 15 | result := concatenateStringArray(arr, ":") 16 | if result != "toto:tata" { 17 | t.Errorf("concatenation is not working properly") 18 | } 19 | } 20 | 21 | func TestImage(t *testing.T) { 22 | testTable := []TestImageCase{ 23 | { 24 | image: "busybox:toto", 25 | registry: "example.com", 26 | expected: "example.com/docker.io/library/busybox:toto", 27 | }, 28 | { 29 | image: "busybox", 30 | registry: "example.com", 31 | expected: "example.com/docker.io/library/busybox:latest", 32 | }, 33 | { 34 | image: "toto/tata:titi", 35 | registry: "example.com", 36 | expected: "example.com/docker.io/toto/tata:titi", 37 | }, 38 | { 39 | image: "toto/tata", 40 | registry: "example.com", 41 | expected: "example.com/docker.io/toto/tata:latest", 42 | }, 43 | { 44 | image: "example.org/toto/tata:titi", 45 | registry: "example.com", 46 | expected: "example.com/example.org/toto/tata:titi", 47 | }, 48 | { 49 | image: "example.org/toto/tata", 50 | registry: "example.com", 51 | expected: "example.com/example.org/toto/tata:latest", 52 | }, 53 | { 54 | image: "docker.io/toto/tata:titi", 55 | registry: "example.com", 56 | expected: "example.com/docker.io/toto/tata:titi", 57 | }, 58 | { 59 | image: "docker.io/toto/tata", 60 | registry: "example.com", 61 | expected: "example.com/docker.io/toto/tata:latest", 62 | }, 63 | { 64 | image: "docker.io/busybox:titi", 65 | registry: "example.com", 66 | expected: "example.com/docker.io/library/busybox:titi", 67 | }, 68 | { 69 | image: "docker.io/busybox", 70 | registry: "example.com", 71 | expected: "example.com/docker.io/library/busybox:latest", 72 | }, 73 | { 74 | image: "gcr.io/busybox:titi", 75 | registry: "example.com", 76 | expected: "example.com/gcr.io/busybox:titi", 77 | }, 78 | { 79 | image: "gcr.io/toto/tata:titi", 80 | registry: "example.com", 81 | expected: "example.com/gcr.io/toto/tata:titi", 82 | }, 83 | { 84 | image: "gcr.io/toto/tata@sha256:XXXXX", 85 | registry: "example.com", 86 | expected: "example.com/gcr.io/toto/tata@sha256:XXXXX", 87 | }, 88 | { 89 | image: "gcr.io/toto/tata:titi@sha256:XXXXX", 90 | registry: "example.com", 91 | expected: "example.com/gcr.io/toto/tata:titi@sha256:XXXXX", 92 | }, 93 | { 94 | image: "gcr.io/toto/tata/titi:tag", 95 | registry: "example.com", 96 | expected: "example.com/gcr.io/toto/tata/titi:tag", 97 | }, 98 | { 99 | image: "registry.org/toto/tata/titi:tag", 100 | registry: "example.com", 101 | expected: "example.com/registry.org/toto/tata/titi:tag", 102 | }, 103 | { 104 | image: "toto/tata/titi:tag", 105 | registry: "example.com", 106 | expected: "example.com/docker.io/toto/tata/titi:tag", 107 | }, 108 | { 109 | image: "quay.io/toto/tata", 110 | registry: "example.com", 111 | expected: "example.com/quay.io/toto/tata:latest", 112 | }, 113 | } 114 | 115 | for _, test := range testTable { 116 | res := GetPatchedImageUrl(test.image, test.registry) 117 | 118 | 119 | if res != test.expected { 120 | 121 | t.Errorf("Error test image : %v, registry : %v, expected : %v, got %v\n", 122 | test.image, 123 | test.registry, 124 | test.expected, 125 | res) 126 | } 127 | } 128 | } 129 | -------------------------------------------------------------------------------- /create-cert.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # This script comes from https://github.com/morvencao/kube-mutating-webhook-tutorial/ 4 | set -e 5 | 6 | usage() { 7 | cat <> "${tmpdir}"/csr.conf 64 | [req] 65 | req_extensions = v3_req 66 | distinguished_name = req_distinguished_name 67 | [req_distinguished_name] 68 | [ v3_req ] 69 | basicConstraints = CA:FALSE 70 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment 71 | extendedKeyUsage = serverAuth 72 | subjectAltName = @alt_names 73 | [alt_names] 74 | DNS.1 = ${service} 75 | DNS.2 = ${service}.${namespace} 76 | DNS.3 = ${service}.${namespace}.svc 77 | EOF 78 | 79 | openssl genrsa -out "${tmpdir}"/server-key.pem 2048 80 | openssl req -new -key "${tmpdir}"/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out "${tmpdir}"/server.csr -config "${tmpdir}"/csr.conf 81 | 82 | # clean-up any previously created CSR for our service. Ignore errors if not present. 83 | kubectl delete csr ${csrName} 2>/dev/null || true 84 | 85 | # create server cert/key CSR and send to k8s API 86 | cat <&2 122 | exit 1 123 | fi 124 | echo "${serverCert}" | openssl base64 -d -A -out "${tmpdir}"/server-cert.pem 125 | 126 | 127 | # create the secret with CA cert and server cert/key 128 | kubectl create secret generic ${secret} \ 129 | --from-file=key.pem="${tmpdir}"/server-key.pem \ 130 | --from-file=cert.pem="${tmpdir}"/server-cert.pem \ 131 | --dry-run -o yaml | 132 | kubectl -n ${namespace} apply -f - 133 | -------------------------------------------------------------------------------- /mutate/mutate.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | package mutate 3 | 4 | import ( 5 | "encoding/json" 6 | "fmt" 7 | "log" 8 | "strings" 9 | 10 | v1beta1 "k8s.io/api/admission/v1beta1" 11 | corev1 "k8s.io/api/core/v1" 12 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 13 | ) 14 | 15 | // registry/namespace/image:tag 16 | type dockerImageUrl struct { 17 | registry string 18 | namespace string 19 | image string 20 | tag string 21 | } 22 | 23 | // takes toto:tata or toto, gives tata or latest 24 | func getImgTag(img string) string { 25 | imgTagArr := strings.Split(img, ":") 26 | tag := "latest" 27 | 28 | if len(imgTagArr) != 1 { 29 | tag = "" 30 | for _, v := range(imgTagArr[1:]) { 31 | tag += v + ":" 32 | } 33 | // remove last ":" 34 | tag = tag[:len(tag) - 1] 35 | } 36 | 37 | return tag 38 | } 39 | 40 | // takes toto:tata or toto, gives toto 41 | func getImgName(img string) string { 42 | imgTagArr := strings.Split(img, ":") 43 | return imgTagArr[0] 44 | } 45 | 46 | func concatenateStringArray(arr []string, separator string) string { 47 | result := "" 48 | 49 | for _, v := range arr { 50 | result += v + separator 51 | } 52 | // remove last separator 53 | result = result[: len(result) - len(separator)] 54 | return result 55 | } 56 | 57 | func getDockerImageUrl(img string) dockerImageUrl { 58 | imgArr := strings.Split(img, "/") 59 | // Not prefixed with a site 60 | if len(imgArr) == 1 { 61 | // Case busybox or busybox:tag 62 | return dockerImageUrl{ 63 | registry: "docker.io", // default 64 | namespace: "library", // default 65 | image: getImgName(img), 66 | tag: getImgTag(img), 67 | } 68 | } 69 | 70 | imgUrl := imgArr[0] 71 | // Case docker.io/busybox 72 | if len(imgArr) == 2 && imgUrl == "docker.io" { 73 | return dockerImageUrl{ 74 | registry: imgUrl, 75 | namespace: "library", 76 | image: getImgName(imgArr[1]), 77 | tag: getImgTag(imgArr[1]), 78 | } 79 | } 80 | 81 | // Case toto/tata (and ! gcr.io/toto) 82 | if len(imgArr) == 2 && !strings.Contains(imgUrl, ".") { 83 | return dockerImageUrl{ 84 | registry: "docker.io", 85 | namespace: imgArr[0], 86 | image: getImgName(imgArr[1]), 87 | tag: getImgTag(imgArr[1]), 88 | } 89 | } 90 | 91 | if len(imgArr) == 2 && strings.Contains(imgUrl, ".") { 92 | return dockerImageUrl{ 93 | registry: imgUrl, 94 | namespace: "", // ??? TODO does it exist? 95 | image: getImgName(imgArr[1]), 96 | tag: getImgTag(imgArr[1]), 97 | } 98 | } 99 | 100 | // case toto.io/tata/titi[:tag] 101 | // or case toto.io/tata/titi/toto[:tag] 102 | if strings.Contains(imgUrl, ".") { 103 | return dockerImageUrl{ 104 | registry: imgArr[0], 105 | namespace: concatenateStringArray(imgArr[1: len(imgArr) - 1], "/"), 106 | image: getImgName(imgArr[len(imgArr) - 1]), 107 | tag: getImgTag(imgArr[len(imgArr) - 1]), 108 | } 109 | } else { 110 | // case toto/tata/titi:tag 111 | return dockerImageUrl{ 112 | registry: "docker.io", 113 | namespace: concatenateStringArray(imgArr[: len(imgArr) - 1], "/"), 114 | image: getImgName(imgArr[len(imgArr) - 1]), 115 | tag: getImgTag(imgArr[len(imgArr) - 1]), 116 | } 117 | } 118 | } 119 | 120 | func (i dockerImageUrl) String() string { 121 | if i.namespace == "" { 122 | return fmt.Sprintf("%s/%s:%s", 123 | i.registry, 124 | i.image, 125 | i.tag) 126 | } 127 | return fmt.Sprintf("%s/%s/%s:%s", 128 | i.registry, 129 | i.namespace, 130 | i.image, 131 | i.tag) 132 | } 133 | 134 | func isSameImage(image1, image2 dockerImageUrl) bool { 135 | return image1.registry == image2.registry && 136 | image1.namespace == image2.namespace && 137 | image1.image == image2.image 138 | } 139 | 140 | func GetPatchedImageUrl(img, registry string) string { 141 | patchimg := getDockerImageUrl(img) 142 | 143 | // Ignore images from IgnoreImages 144 | for _, image := range Configuration.IgnoreImages { 145 | if getDockerImageUrl(image).String() == patchimg.String() || 146 | isSameImage(getDockerImageUrl(image), patchimg) { 147 | return patchimg.String() 148 | } 149 | } 150 | 151 | // any.io/toto/tata -> proxy.io/any.io/toto/tata 152 | if patchimg.registry != registry { 153 | patchimg.registry = registry + "/" + patchimg.registry 154 | } 155 | 156 | return patchimg.String() 157 | } 158 | 159 | func getPatchFromContainerList(ctn []corev1.Container, registry, containerType string) []map[string]interface{} { 160 | patchList := []map[string]interface{}{} 161 | for i := range ctn { 162 | img := ctn[i].Image 163 | 164 | patchedImg := GetPatchedImageUrl(img, registry) 165 | 166 | // No need to patch if it's the same 167 | if img == patchedImg { 168 | continue 169 | } 170 | 171 | patch := map[string]interface{}{ 172 | "op": "replace", 173 | "path": fmt.Sprintf("/spec/%s/%d/image", containerType, i), 174 | "value": patchedImg, 175 | } 176 | patchList = append(patchList, patch) 177 | } 178 | 179 | return patchList 180 | } 181 | 182 | func Mutate(body []byte, verbose bool, registry string) ([]byte, error) { 183 | if verbose { 184 | log.Printf("recv: %s\n", string(body)) 185 | } 186 | 187 | admReview := v1beta1.AdmissionReview{} 188 | if err := json.Unmarshal(body, &admReview); err != nil { 189 | return nil, fmt.Errorf("Unmarshaling request error %w", err) 190 | } 191 | 192 | var err error 193 | var pod *corev1.Pod 194 | 195 | responseBody := []byte{} 196 | ar := admReview.Request 197 | resp := v1beta1.AdmissionResponse{} 198 | 199 | if ar == nil { 200 | if verbose { 201 | log.Printf("resp: %s\n", string(responseBody)) 202 | } 203 | 204 | return responseBody, nil 205 | } 206 | 207 | if err := json.Unmarshal(ar.Object.Raw, &pod); err != nil { 208 | log.Println("Unmarshal pod json error", err) 209 | return nil, fmt.Errorf("Unmarshal pod json error %w", err) 210 | } 211 | 212 | resp.Allowed = true 213 | resp.UID = ar.UID 214 | pT := v1beta1.PatchTypeJSONPatch 215 | resp.PatchType = &pT 216 | 217 | resp.AuditAnnotations = map[string]string{ 218 | "k8s-proxy-image-swapper": "mutated", 219 | } 220 | 221 | patchList := getPatchFromContainerList(pod.Spec.Containers, registry, "containers") 222 | patchList = append(patchList, getPatchFromContainerList(pod.Spec.InitContainers, registry, "initContainers")...) 223 | annotationsPatch := map[string]interface{}{ 224 | "op": "add", 225 | "path": "/metadata/annotations", 226 | "value": map[string]string { 227 | "k8s-proxy-image-swapper": "patched-image", 228 | }, 229 | } 230 | if len(patchList) != 0 { 231 | patchList = append(patchList, annotationsPatch) 232 | } 233 | 234 | resp.Patch, err = json.Marshal(patchList) 235 | if err != nil { 236 | log.Println("Error unmarshalling patchList into AdmissionResponse", err) 237 | return nil, fmt.Errorf("Error unmarshalling patchList into AdmissionResponse %w", err) 238 | } 239 | 240 | // We cannot fail 241 | resp.Result = &metav1.Status{ 242 | Status: "Success", 243 | } 244 | 245 | admReview.Response = &resp 246 | responseBody, err = json.Marshal(admReview) 247 | if err != nil { 248 | log.Println("FATAL Error ", err) 249 | return nil, err 250 | } 251 | return responseBody, nil 252 | } 253 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | 204 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 2 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 3 | github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= 4 | github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= 5 | github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= 6 | github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= 7 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 8 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 9 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 10 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 11 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 12 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 13 | github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= 14 | github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= 15 | github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= 16 | github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 17 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 18 | github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 19 | github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 20 | github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= 21 | github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc= 22 | github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= 23 | github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= 24 | github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 25 | github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= 26 | github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= 27 | github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= 28 | github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= 29 | github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= 30 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 31 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 32 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 33 | github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 34 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 35 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 36 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 37 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 38 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 39 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 40 | github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 41 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= 42 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= 43 | github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= 44 | github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 45 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 46 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 47 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 48 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 49 | github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 50 | github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M= 51 | github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 52 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 53 | github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= 54 | github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 55 | github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 56 | github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 57 | github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= 58 | github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= 59 | github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 60 | github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 61 | github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 62 | github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68= 63 | github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 64 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 65 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 66 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 67 | github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 68 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 69 | github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= 70 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 71 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 72 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 73 | github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 74 | github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 75 | github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= 76 | github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= 77 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 78 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 79 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 80 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 81 | github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= 82 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 83 | github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 84 | github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= 85 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= 86 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= 87 | github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 88 | github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 89 | github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 90 | github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= 91 | github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 92 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 93 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 94 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 95 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 96 | github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= 97 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 98 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 99 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 100 | github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= 101 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 102 | github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= 103 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 104 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 105 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 106 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 107 | golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 108 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 109 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 110 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 111 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 112 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 113 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 114 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 115 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 116 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 117 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 118 | golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 119 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 120 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 121 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 122 | golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 123 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 124 | golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 125 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 126 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 127 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 128 | golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 h1:OgUuv8lsRpBibGNbSizVwKWlysjaNzmC9gYMhPVfqFM= 129 | golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 130 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 131 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 132 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 133 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 134 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 135 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 136 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 137 | golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 138 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 139 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 140 | golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 141 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 142 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 143 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 144 | golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 145 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 146 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 147 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 148 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 149 | golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc= 150 | golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 151 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 152 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 153 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 154 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 155 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 156 | golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 157 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 158 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 159 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 160 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 161 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 162 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 163 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= 164 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 165 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 166 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 167 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 168 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 169 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= 170 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 171 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 172 | google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 173 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 174 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 175 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 176 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= 177 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 178 | google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 179 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 180 | google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 181 | google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= 182 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 183 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 184 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 185 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= 186 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 187 | gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= 188 | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 189 | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 190 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= 191 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 192 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 193 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 194 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 195 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 196 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= 197 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 198 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 199 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 200 | k8s.io/api v0.21.3 h1:cblWILbLO8ar+Fj6xdDGr603HRsf8Wu9E9rngJeprZQ= 201 | k8s.io/api v0.21.3/go.mod h1:hUgeYHUbBp23Ue4qdX9tR8/ANi/g3ehylAqDn9NWVOg= 202 | k8s.io/apimachinery v0.21.3 h1:3Ju4nvjCngxxMYby0BimUk+pQHPOQp3eCGChk5kfVII= 203 | k8s.io/apimachinery v0.21.3/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI= 204 | k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= 205 | k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= 206 | k8s.io/klog/v2 v2.8.0 h1:Q3gmuM9hKEjefWFFYF0Mat+YyFJvsUyYuwyNNJ5C9Ts= 207 | k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= 208 | k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= 209 | sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= 210 | sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno= 211 | sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= 212 | sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= 213 | sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= 214 | --------------------------------------------------------------------------------